[SOLVED] OpenVPN site to site established - cant get any traffic to flow
-
I am having a problem with an OpenVPN connection on site to site. Simply put, I can establish a connection but cant ping or otherwise reach any hosts from either side. I was wondering if anyone could help.
First off, heres a diagram of what I have setup. It should be very typical, the main reason I made it is so that people can easily see what IPs are on what interfaces on each side etc:
Here is what I have done step by step:
- Downloaded pfsense usb .IMG, create the usb drive.
- Installed on a spare PC with 2x NICs for site A (work)
- Assigned NICs to WAN/LAN. Set static IP’s thu the web interface
- Confirmed internet connectivity with a Test PC on the LAN (using pfsense as gateway etc)
Repeated steps 1 - 4 for site B except using DHCP for WAN (my home for testing purposes atm)
- Setup Open VPN on server side – site to site, shared key, TCP, tun, port 1194, default encryption, used 192.168.80.0/24 for tunnel network, put in necessary LANs etc.
- Setup Open VPN on client side – same settings and copied shared key generated from server Site A
Sites did not connect until I created rules for both WAN and OpenVPN on both sites to allow port 1194.
The 2 sites now say the OpenVPN connection is up. I cannot however ping or access anything from either side.
I have since created any/any rules on all interfaces just for testing purposes, still no traffic will pass.
I have added push "route 10.0.0.0 255.255.255.0"; to the server side. It took that fine.
I have added route 10.0.0.0 255.255.255.0; to the client side, but I get this error:
“FreeBSD route add command failed: external program exited with error status: 1”
I rebooted the client side and it reestablished the openvpn connection without showing this error, but it will show it again if I try to change the route rule on it.Any tips on how to troubleshoot this and get it working would be GREATLY appreciated. Thank you so much!
-
Did you enter 10.80.12.0/24 under VPN > OpenVPN > Tunnel Settings > Local network?
-
I assume you mean VPN > OpenVPN > Server > Edit (on the server side?) if so, I believe I put the correct settings, but I did not put "10.80.12.0"
(My two LANs are 10.8.12.0/24(server) and 10.80.1.0/24(client))
-
Sites did not connect until I created rules for both WAN and OpenVPN on both sites to allow port 1194.
Did you allow anything else on OpenVPN-tab? try to allow any any
-
I have tcp/udp any/any rules added for all 3 interfaces (WAN, LAN, OPENVPN) on both sides.
-
OMG ITS WORKING I almost peed my pants!
I changed my any/any rules to have any for protocol instead of TCP or UDP and it works!!!!!!!
What a great way to start the weekend. ;D Im sorry for wasting peoples time for being a bit dense. I will say that I read a handful of OpenVPN on pfsense guides and I dont think any of them were specific about "any" in the protocol area for rules. (but I could have misread)
Thank you everyone.
Now I get to see if I can get bridging to work!!!!
-
I have only a little experience with OpenVPN but I think the following is wrong:
@hardware_failure:I have added push "route 10.0.0.0 255.255.255.0"; to the server side. It took that fine.
I have added route 10.0.0.0 255.255.255.0; to the client side, but I get this error:You are trying to push routes to the other side so the other side knows what networks to route over the tunnel. Consequently on the server side I think you need:
push "route 10.8.12.0 255.255.255.0"
so the client knows to route 10.8.12.0/24 over the VPN and on the client side I think you need
push "route 10.80.1.0 255.255.255.0"
so the server knows to route 10.80.1.0/24 over the VPN.
Note that the inter-site VPN traffic won't match any of the routes you specified!
I have just your post that you got things working. Maybe the routes are needed only for networks BEYOND the networks of the two endpoints. I suggest you check the routing tables in the pfSense at each end of the VPN. You might have superfluous routes that currently do no harm but might trip you up in the future.
-
was my problem the fact that ping is ICMP and wont work with only TCP and/or UDP being open? Or has anyone else been able to ping with tcp any/any rules?
I will check my routing tables as wallabybob suggested.
Thanks so much everyone.
-
was my problem the fact that ping is ICMP and wont work with only TCP and/or UDP being open?
That was a problem. PING runs on ICMP, ICMP is not UDP and ICMP is not TCP.
Depending on your trust level between the networks you might want to add a rule for ICMP and tighten up the protocol=any rule.
-
That was a problem. PING runs on ICMP, ICMP is not UDP and ICMP is not TCP.
Depending on your trust level between the networks you might want to add a rule for ICMP and tighten up the protocol=any rule.
Not only am I happy that it works but it feels even better to understand what it was. Yes, that would be a good idea to add the ICMP and other rules instead of just leaving the any/any. I received support from cisco a while back on a device that I inherited responsibility of.. he saw an any any rule and scolded me a bit.. but then later also told me that it was unfortunately a common mistake people make.
Thanks again for the help.
-
I have only a little experience with OpenVPN but I think the following is wrong:
@hardware_failure:I have added push "route 10.0.0.0 255.255.255.0"; to the server side. It took that fine.
I have added route 10.0.0.0 255.255.255.0; to the client side, but I get this error:You are trying to push routes to the other side so the other side knows what networks to route over the tunnel. Consequently on the server side I think you need:
push "route 10.8.12.0 255.255.255.0"
so the client knows to route 10.8.12.0/24 over the VPN and on the client side I think you need
push "route 10.80.1.0 255.255.255.0"
so the server knows to route 10.80.1.0/24 over the VPN.
Note that the inter-site VPN traffic won't match any of the routes you specified!
I have just your post that you got things working. Maybe the routes are needed only for networks BEYOND the networks of the two endpoints. I suggest you check the routing tables in the pfSense at each end of the VPN. You might have superfluous routes that currently do no harm but might trip you up in the future.
You mix up two concepts.
route entries are for site-to-site (p2p since 2.0)
they are used to adjust the local routing table when the tunnel comes up.
since they only adjust the local table you need such an entry on bozh sides for the remote subnet.push routes are used in a PKI.
with it the server can adjust the routing table of a connecting client.
–> you only use push routes on the server. subsequently the clients dont need any route entries.if you need a route on the server pointing to a client for a subnet you would use the iroute directive. (basically the same as route but for a PKI.
(grrr damm mobile phone keyboards....) -
Thanks. That makes sense… I think ;)
Im obviously not a networking guru but I have learned alot with this project alone.
I got bridging to work. I had troubles with routes (imagine that) when using different subnets. I put both sites on the same subnet and bridging is working beautifully. In fact Im amazed - it really is like being plugged into the same l2 switch. I put a test pc from site B (client) onto the domain at site A (server), mapped network drives, sql data sources, networked printers, the works. Local DNS and DHCP even work. Very, very cool.
As always Im grateful for the help, and now hooked on pfsense! Time to go shopping for some 1U bare bones…